The internet cybercrime problem can be illustrated by comparing cyber security to sports. In any sport, individuals or teams compete in a game with rules. Without exception, sporting events from baseball to the Olympic Games require a 3rd party to act as an independent arbitrator, ensuring that the rules of the game are enforced.
When managers of highly sensitive government networks, financial institution websites, electronic health records (EHR) contractors, or online retailers allow employees or customers access to their cyber infrastructure, the relationship is naturally adversarial in a way similar to a sporting event. In order for a computer network controller to grant an employee access to a remote workstation, the employee must confirm their identity by using a password, biometric scan, or 2-factor login procedure. The network controller and employee are, at the moment of the identity verification, opponents on a cyber-playing field. The missing element in this scenario is an independent 3rd party to act as a ‘referee.’
Of the current methods used for online identity verification, passwords are by far the weakest. Alternatives to passwords include Kerberos 2-factor authentication and conventional biometric methods integrated into modern smartphones and other computing devices (e.g. Apple iPhone 5S™). Neither of these methods is completely trustworthy, since the 2 factors or the smartphone can be transferred to another person without the knowledge of the computer network administrators granting access privileges or of the internet websites requiring identity verification. Even though a smartphone uses biometric methods, the original owner of the device may choose to reset, or be coerced into resetting, the device's biometric reference to that of another person.
Another problem is illustrated by recognizing that a secure computing device (e.g. smartphone) might be lost and then found by a skilled technician who might disassemble the device and compromise any sensitive data stored inside.
Presently, cybersecurity of EHRs is less robust than consumers might expect. One problem is the state of EHRs when they are in storage ‘at rest’ and in transit. Encryption is used but the owner of the keys used to encrypt this data is typically not the person (patient) to whom the EHRs belong.
With online payments, consumers are sometimes frustrated by burdensome procedures involved in cancelling services which are paid from credit cards or other financial accounts at regular, recurring intervals. Sometimes, a recurring draw against an account occurs due to fraud or by mistake.
Finally, younger citizens are typically much more technology savvy than previous generations and prefer to conduct much of their personal business through online means. Online voting in political elections is no different. Some theorize that low voter participation by younger citizens is due in part to the trouble of having to travel to a physical location to cast an in-person vote. Online voting is one of many cases where reliable proof of identity at the moment of action is vital. Online voting cannot emerge without a comprehensive solution to fraud-proof identity verification.
The ability of criminals and cyber-terrorists to infiltrate supposedly well-defended computer networks is well known. In order to successfully breach cyber defenses, criminals or terrorists must execute actions against computer hardware and software that is typically under the complete control of third parties which may include innocent individuals, businesses, or government agencies. As a result, billions of dollars are spent on countermeasures and recovery from breaches.
Less widely recognized problems are also inherent in other online activities, such as those that involve wagering or other transfers of funds between individuals, as may occur in online versions of poker and similar games.
By way of example, in internet poker, 2 to 10 people typically play each other across a ‘virtual’ poker table. The game is managed from servers operated by an internet poker service provider (or ‘poker website’). The poker website manages communications to and from remote computers that are under the near complete control of the players. It is on the graphical displays of these remote computers that the virtual poker table, avatars for other players, and card graphics are made visible to the player. For innocent players the fact that they control their own computers is of no consequence. But if the ‘player’ as known to the poker website and its regulators is a ‘money mule’ paid by a terror or crime organization (TCO), a significant vulnerability is apparent. A ‘money mule’ is a person hired by a TCO for his or her unblemished identity and separation from the TCO.
Contrast the problem faced by hackers trying to break into computers under the control of someone else with that faced by a TCO hacking computers entirely under its own control. Manipulation of, for example, internet poker games for the purpose of laundering money becomes astonishingly easy.
Consider a criminal enterprise (CE) seeking to offer untraceable electronic banking services to terror and crime organizations (TCOs). The CE uses technology and carefully-designed business processes to exploit the natural properties of internet poker in order to move vast sums of money among thousands of poker accounts in many different countries. The most basic operation performed by the CE is the corruption of internet poker games using 4-way collusion for the purpose of moving money from two poker accounts to two other poker accounts playing at the same virtual poker table.
Regulators in jurisdictions where internet poker is legal, such as the Isle of Man, the Alderney Islands, and Gibraltar, claim that by recording hand histories and the identities of the players at any virtual poker table, counter-terrorism investigators can determine connections between donors and recipients. They also claim that it is possible to determine the physical location (geo-location) of an online poker player. They further claim that automated anti-collusion detection systems can reliably find instances where two or more players are sharing card values. The fact is, the CE can breach any anti-collusion, global positioning system (GPS), or internet protocol (IP) address geo-location system currently used by internet poker websites.
The following scenario illustrates just one example of how the CE might use weaknesses in the current internet poker business model to implement a large scale money laundering operation. However, it should be appreciated that the concepts described herein are applicable to a wide variety of online activities in which the actual identity and/or location of a user is needed for verification, tracking and/or monitoring purposes.
The CE business process assigns any number of ‘money mule’ accounts to poker games in groups of four. This means that 4 of the 9 to 10 seats at a compromised virtual poker table are CE mule accounts. The mules never actually play the games and may not even be privy to the CE's activities. Experts at the CE remotely log in to the mules' computers and play games under the identities of those mules. They can also transfer money to and from the mule bank accounts and read emails sent to the mules by the poker website.
For typical money transfers, two of the mule accounts are designated as donors and two as recipients. The CE ‘players’ use technology that allows them to see each other's hole cards in an undetectable manner that does not distract from the game in any way. The players can remain focused on the game, ensuring, over time, that money moves in the right direction.
Further, specially-designed software used by the CE to generate the four-player games can easily and reliably defeat any automated anti-collusion technique employed by the poker websites or their regulators. This is done by providing each mule with two low-end computers. One computer is ‘clean’ and the other is ‘corrupt’. The clean computer runs the internet poker client software. It contains neither the hack software nor the support software for remote access systems. If regulators require GPS verification of the computer's location, then this technology is included with the clean computer. Since the clean computer does not run any illicit software and possesses the required GPS technology (if it were required), the poker client software will never detect anything suspicious, thereby enabling the CE to easily overcome geo-location requirements imposed by the poker websites and their regulators.
The corrupt computer runs all hack software, remote access support software, and the software for a frame grabber that, in one implementation, grabs the output signal from the clean computer's SVGA port. Keyboard and mouse commands, processed using standard drivers, are sent from the corrupt computer to the clean computer's USB port.
A minimum of three critical software processes are run on the corrupt computer. The first is an encrypted, private, CE-operated communications tool. The second is the ‘card clipping’ software that captures an image of the player's hole cards, transmits it to the CE's server, and retrieves the images of the other three players' hole cards. A private, CE-controlled instant messaging system is built into the card clip application. The third process allows CE ‘players’ (AKA ‘soldiers’) to control the corrupt and clean computers from anywhere in the world, again in an undetectable manner.
The CE uses state-of-the-art technology to manage communication among CE soldiers and the CE leadership. Soldiers can play poker on any computer located anywhere on the internet using a device called a ‘remote access appliance’ (e.g. Bomgar). Appliances such as the Bomgar device allow the CE to control thousands of remote computers without risking discovery by counter-terrorism investigators. By using a hardware appliance, the CE avoids using commercial remote access services such as GoToMyPC.com that could cooperate with law enforcement or counter-terrorism authorities. And, while all communications between CE leaders, soldiers, and cell leaders are undetectable, they are nonetheless encrypted and always sent via means under the complete control of the CE.
Custom server-side software is used to manage all administrative tasks such as maintaining login credentials for mule accounts, internal communications, game-in-progress data distribution, and generating and managing the games. An electronic database is used to persist data.
In one example, the CE business process starts with customer operative A hiring a money mule B. Mule B is instructed to open a conventional bank account and deposit money provided by operative A. Mule B is then instructed to open one or more internet poker accounts, using the mule's legitimate identity and bank account. The same process occurs between mule C and customer operative D in the country where the operative's money is to be transferred. Once the accounts are opened and the mules' identities are verified to the satisfaction of the poker website, mules B and C give the online logins for their bank account, the poker account(s), and email account associated with the poker websites to customer operatives A and D, respectively. Operatives A and D then send the logins to CE personnel using a privately operated, encrypted communication system. Finally, customer operatives A and D provide mules B and C with specially prepared computer hardware and software systems. Once these procedures are complete, the mules just need to keep the computers running and maintain connectivity to the internet. Mules are usually used indefinitely by the customer operatives and will likely be kept “in the dark”, so they may or may not have knowledge of the CE's operations, and may or may not be paid for their services. And if A and B or C and D are compromised, law enforcement or counter-terrorism authorities will have no way of linking operatives A and D because the CE has procedures in place to alter personnel distribution and immediately relocate servers and other traceable technology.
The possibility of money laundering with internet poker presents law enforcement and counter-terrorism authorities with a dilemma. If a money mule is discovered, he or she is unlikely to know anything useful beyond possibly identifying their TCO contact. Furthermore, since the mule doesn't actually play poker, he or she will have no knowledge of the other players at the virtual poker tables. This ensures that authorities will likely bear the expense of an international investigation involving several different foreign jurisdictions.
As this scenario illustrates, current technology and regulatory schemes are not sufficient to keep TCOs from exploiting internet poker. Two innovations are required: (1) a way to remove substantial control of computer hardware and software from an internet poker player while allowing the computer equipment to remain in the possession of the player, and (2) a way to reliably confirm the player's true identity and/or physical location.